What are current CF9.02 Session Cookie Management Best Practices?

Question

Common \"best practice\" for ColdFusion cookie session cookie management has been to implement something like this:

Answer 1

Um, not using CFID/CFToken. I have not used those client variables for years and instead use ColdFusion session management. It is just too risky to trust those from the client (in my opinion).

The Adobe docs actually have a pretty good write up about managing client state: Managing the client state

What is your case for still needing to use CFID/CFToken?

An excerpt from that Adobe article:

A hacker who has the user’s CFToken and CFID cookies could gain access to user data by accessing a web page during the user’s session using the stolen CFToken and CFID cookies. While this scenario is unlikely, it is theoretically possible.

You can remove this vulnerability by selecting the Use J2EE Session Variables option on the ColdFusion Administrator Memory Variables page. The J2EE session management mechanism creates a new session identifier for each session, and does not use either the CFToken or the CFID cookie value.